Post NFA Migration Clean-up

Important Notification for NFA Partners Only

If you haven’t already, we highly recommend reviewing the current migration documentation here.  As you review the documentation please submit any questions to

  • New NFA account creation will be unavailable on November 30th 2021.
  • NFA will be fully supported until the official sunset -
  • We encourage all partners to watch this video, read all of our supporting KBs and consider preparing for migrations. The entire Nerdio team is here to support and guide all of our amazing partners during this transition.

This guide will take you through the final steps of removing any remaining NFA assets and hosts, and finally the account in NAP.

Now that users have been migrated to the NMM environment, you can turn down the NFA environment. The steps to do so are



SafeDNS was an included feature of NFA and isn't included in NMM. Partners will need to modify their current DNS settings and consider which DNS service they will use going forward.

Note: If you imported your desktop image from NFA you may need to uninstall the SafeDNS client from the image.


Steps to remove SafeDNS

1) Firewall

  1. From DC01, open up the DNS Manager and right-click "DC01", then select properties.
  2. From the "Forwarders" tab, click Edit and add the IP address of a public DNS server such as Google (, or Cloudflare (
  3. From your account in the Nerdio Admin Portal, expand the Network tab on the left and select Firewall.
  4. Click "Add Rule"
  5. Allow outbound traffic from any source using port 53 to the IP you used for the new forwarder.
  6. Ensure that the priority is above the existing system rule titled "Allow DNS to SafeDNS" (use a number lower than 501)
  7. Save the rule and confirm that DNS is functioning as expected.
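
A read-only way to carry out the check in step 7 from PowerShell on DC01, as an added example that is not part of the original Nerdio article. The `-Forwarder` parameter is the IP you chose in step 2, and the test hostname is a constructed sample value.

```powershell
# Added example: read-only check for step 7. Run in an elevated PowerShell session on DC01.
# -Forwarder is the resolver IP entered in step 2; -TestName is a constructed sample name.
param(
    [Parameter(Mandatory)][ipaddress]$Forwarder,
    [string]$TestName = 'www.microsoft.com'
)

Import-Module DnsServer -ErrorAction Stop

# Forwarder list currently configured on the local DNS server (DC01).
$configured = @((Get-DnsServerForwarder).IPAddress | ForEach-Object { $_.IPAddressToString })
$others     = @($configured | Where-Object { $_ -ne $Forwarder.IPAddressToString })

# Returns $true when the given server answers the A query with at least one record.
function Test-Resolver {
    param([string]$Server)
    try {
        $answer = Resolve-DnsName -Name $TestName -Server $Server -Type A -DnsOnly -ErrorAction Stop
        return [bool]$answer
    } catch {
        Write-Warning "Query to ${Server} failed: $($_.Exception.Message)"
        return $false
    }
}

[pscustomobject]@{
    # The new resolver is present in the Forwarders tab.
    ForwarderConfigured = $configured -contains $Forwarder.IPAddressToString
    # Any forwarders other than the new one, listed for review.
    OtherForwarders     = $others -join ', '
    # Direct query from DC01 to the resolver: exercises the outbound port 53 rule from step 5.
    DirectQueryOk       = Test-Resolver -Server $Forwarder.IPAddressToString
    # Query through DC01's own DNS service: exercises the forwarding path clients use.
    ViaDc01Ok           = Test-Resolver -Server '127.0.0.1'
}
```

A cached record on DC01 can make `ViaDc01Ok` report true even when forwarding is broken, so choose a `-TestName` that has not been resolved recently or clear the DNS server cache before running the check.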

2) Image(s)


Disable auto-scale on NFA host pools

In the NFA portal, navigate to Servers, find your host pool and select Manage Auto Scale from the drop-down menu.

  1. Shut down all old host pools in NFA portal
  2. Disable auto-scale on all servers / personal desktops (in NFA portal)
  3. Configure auto-scale on servers in NMM portal


Demo Users and Groups

This is an opportunity to remove any UNUSED NFA Demo Users and Groups via NAP

Security Groups

  • Accounting Department Group
  • AVD Users
  • Executive Group
  • Finance Department Group
  • HR Department Group
  • IT Department Group
  • Legal Department Group
  • Marketing Department Group
  • Sales Department Group




    • Andy IT Admin
    • Angie Accounting
    • Chad CEO
    • Sally Sales


*Please also review this guide of additional user objects that may exist from NFA provisioning


Federated Domains and PRX01

  • Unsure what Federation is or how to remove it via PowerShell?
    • Read our guide here.
    • Watch our video here.
  • Not using Federation (common)
    • Delete PRX01 from Servers in NMM
  • Want to continue using Federation post migration?


Hosts and Pools

If you did NOT migrate your pool's image, delete the remaining hosts and host pools via NAP (this ensures removal of the Scale Set(s) and Load Balancer).

Locate your "Classic" pools in Nerdio and ensure no users are still logged in


Delete the Pool and Hosts




Golden Image 

You won't be able to delete WVDSH00 in NFA; it must be deleted directly in Azure or in NMM via the Servers blade.



Destroy your NFA account 

Note: Original Nerdio KB

Note: DO NOT CHECK "Empty out and delete"


  1. DO NOT CHECK this box - leave this box unchecked to preserve existing resources in Azure that have been migrated
  2. Type in AZURE to confirm your selection
  3. Select Keep for Microsoft 365 resources - this will require a manual clean-up of the prior service accounts used in NFA
  4. Type in M365 to confirm your selection


Configure Microsoft Entra Connect on DC01

During the initial provisioning process Nerdio configured Microsoft Entra Connect on DC01 and utilized the Express Settings Option.

During the Destroy process Nerdio removes all default users created during provisioning.  This removal includes the Sync_DC01 directory sync account used with Microsoft Entra Connect.

Best practice after destroying the NFA account is to reinstall Microsoft Entra Connect on DC01 and configure a new Sync account. Nerdio recommends using the "Express Settings" option unless you have already customized Microsoft Entra Connect. Examples of customization include enabling Password Writeback.

**If you're unsure of how to configure Microsoft Entra Connect, we recommend opening a ticket with Microsoft or your CSP.**


